This years seemingly endless series of data scandals and breaches have transformed the way that citizens and governments think about data privacy, writes Nick Caley, VP of Financial Services and Regulatory, ForgeRock

As a result, consumers’ trust in the data-driven business model which underscores the global digital economy, has plummeted.

Nick Caley, VP of Financial Services and Regulatory, ForgeRock

With governments across the world scrambling to react to this shift, data privacy regulations are set to be a major talking point in 2019, leading to some fundamental changes to the way that personal data is collected, managed and shared.

Data Privacy: It Began with GDPR but What’s Next?

2018 has been defined in many ways by the GDPR, which set a new global standard for data security and privacy.

Since it was passed, at least ten other countries including Argentina, Australia and Brazil have moved to implement similar rules. For advanced economies, updating their domestic legislation will be relatively straightforward. In some cases, these countries are copying the EU’s GDPR almost word for word.

Emerging countries have a more daunting task ahead. They must balance the need to access the EU’s market of 500 million customers (which is contingent on compliance with regulations such as the GDPR), pressure to adapt to evolving global privacy norms, and the economic imperative to encourage domestic innovation. After all, a national privacy law imposes the same restrictions and freedoms on every business in a country, even if they only sell at home. Developing economies such as Argentina, Uruguay and India have managed to devise comprehensive regulatory frameworks on par with the EU’s rules whilst also being sensitive to their own economic and cultural trajectory.

Land of the Free?

The US faced its own unique challenges designing and implementing a national privacy law – and the outcome of this process is likely to have major implications for the regulations worldwide.

In June, the state of California enacted the Consumer Privacy Act (CPA) due to come into force in 2020. This latest regulatory broadside, alongside Vermont’s recent landmark law regulating data broker’s activities, heralded a national movement for data privacy. While Vermont and California are at the vanguard of US data privacy regulatory efforts, the attention of legislators at all levels of government has now been captured by this issue. As one prominent US senator put it, the question is no longer whether the US needs a law to protect consumers’ privacy, but what shape that law will take.

Sensing this, some of the tech giants in the US are acting preemptively to create and support a federal privacy law – on their terms – through industry lobby groups like the ITI and Internet Association which will override the unfavourable patchwork of state legislation. For example, one prominent tech company in November proposed a federal data privacy bill which would shield companies from fines if they simply attest that they are taking ‘strong measures to protect consumer data’. While others like IBM, Microsoft and Apple have all publicly expressed their support for ‘comprehensive privacy legislation’.

These lobbying efforts, and public discourse surrounding them, will influence the direction of not only a US law, but privacy regulations across the world as these companies fight market-to-market to influence the rising tide of data privacy regulations. For example, the ITI, a lobbying group backed by Google, Facebook, Twitter and a host of other major tech companies, recently released a framework on data privacy to guide federal policymakers on future legislative efforts in this area. While the framework indicates that the members of the council are submitting to self-regulation, it builds in a lot of leeway for the tech industry.

A federal US data privacy bill will almost certainly differ from the GDPR in fundamental ways. This is due to the deep philosophical difference between the two jurisdictions in how they view privacy and data protection, which are understood as fundamental rights in the EU but not on the other side of the Atlantic. The basic architecture of a modern, balanced and flexible privacy framework in the US should ideally be characterised by four elements: an overarching law; a core set of data protection and security principles which embodies the three C’s of choice, control and convenience; enforceable individual rights; and finally, an independent authority (ie not the FTC) with effective powers to supervise and enforce the rules. Federal privacy legislation which adheres to this framework will restore a baseline level of trust for consumers and reassure them that their data is being used properly.

The EU Privacy Battle will Intensify in 2019

Through the GDPR, Europe is leading the world in internet privacy and data protection. However, the EU is still far from achieving a high-water mark for data privacy. In 2019, a new privacy battle will be fought between consumer and industry interest groups who – having failed to stop GDPR – will throw all their resources behind blocking or, at the very least, diluting ePrivacy, a supplemental regulation designed to ‘complete’ the EU’s data privacy framework.

As the name implies, the GDPR deals with the general regulation of personal data. The proposed update to ePrivacy rules is intended to work in conjunction with the GDPR — specifically covering electronic communications, online marketing and advertising. It is proposed to bring up to date the laws controlling the use of metadata, gathered through tracking technologies including, but not limited to cookies. The regulation aims to combat the rampant profiling and behavioural advertising that underpins the adtech business model, doing so by requiring transparency of purpose and affirmative (and explicit) consent.

The ePrivacy Regulation will hopefully help support alternative models that don’t use aggressive tracking by putting the emphasis back where it should be: respect for privacy. There will be a first-mover advantage for companies that embrace strategies which build in privacy by design and default. Going beyond mere compliance and offering a true exchange of value with insights, incentives and offers in return for customers offering their data voluntarily without the use of opaque and intrusive tracking technologies.

It’s Time to Embrace Privacy and Consent

The rising tide of privacy regulations prompted by GDPR and the global shift in consumer awareness around data issues is set to lead to a new era for how personal data is captured and handled. The specifics of each regulation will of course differ but they all share a common goal: empowering consumers with ownership over their data. As these new rules come into force, businesses can either ride the wave and thrive in a post-GDPR world, or drown under the weight of evolving consumer expectations as they abandon organisations that they think are untrustworthy.